Modelling a feed-water control system of a steam generator in the framework of the dynamic reliability

HAL Id: hal-00872422

https://hal.archives-ouvertes.fr/hal-00872422

Submitted on 12 Oct 2013

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Modelling a feed-water control system of a steam generator in the framework of the dynamic reliability

Génia Babykina, Nicolae Brinzei, Jean-François Aubry, Gilles Deleuze

To cite this version:

Génia Babykina, Nicolae Brinzei, Jean-François Aubry, Gilles Deleuze. Modelling a feed-water control system of a steam generator in the framework of the dynamic reliability. Annual Conference of the European Safety and Reliability Association, ESREL 2013, Sep 2013, Amsterdam, Netherlands.

pp.3099-3107. �hal-00872422�

Modelling a feed-water control system of a steam generator in the framework of the dynamic reliability

G. Babykina, N. Brˆınzei, & J.-F. Aubry

CRAN CNRS UMR 7039, Universit´e de Lorraine, ENSEM

2, avenue de la Fˆoret de Haye, 54516 Vandœuvre-les-Nancy, FRANCE Tel.: +33(0)3 83 59 56 36, Fax: +33 (0)3 83 59 56 44

e-mail: {genia.babykina, nicolae.brinzei, jean-francois.aubry} @ univ-lorraine.fr

G. Deleuze

Electricit´e de France (EDF) R&D Management des Risques Industriels ´ 1, avenue de G´en´eral de Gaulle, 92141 Clamart, FRANCE

e-mail: gilles.deleuze@edf.fr

ABSTRACT: The paper deals with the exploration of an industrial complex system behaviour and its prob- abilistic safety assessment (PSA). The main purposes are to build a model which realistically represents the system structure, to carry out the Monte Carlo study of the system behaviour and to perform the analysis of system reliability. The complexity of the system consists in its structure, size, dynamic operational behaviour, complex interactions between the system and its environment, etc. The theoretical framework chosen is the dynamic reliability approach allowing to account for all of these properties. The Stochastic Hybrid Automaton (SHA), seen as a flexible representation of the Piecewise Deterministic Markov Process, is a suitable tool to si- multaneously represent continuous and discrete, stochastic and deterministic phenomena, and is thus employed as a formal model to draw the system structure and behaviour. This formal model (SHA) is effectively imple- mented in Scilab/Scicos open source freeware. This tool is efficient to simulate both the differential equations and discrete state changes when events occur. The differential equations represent the continuous evolution of physical variables describing the dynamic operational behaviour. The discrete states describe the various operating and dysfunctional modes of the system. A real-life system is used to perform a case study of the proposed approach. Precisely, within the French research project APPRODYN (APPROches de la fiabilit´e DY- Namique pour mod´eliser des syst`emes critiques - Dynamic reliability approaches to model critical systems), the feed-water control system of a steam generator of a pressurised water nuclear reactor is modelled. This system consists of different interacting components which simultaneously function according to the power demand.

The power is a continuous variable representing operational behaviour. The built behavioural model and per- formed Monte Carlo simulations are used to study the trajectories of the system behaviour and to evaluate the probability of critical events occurrence.

1 INTRODUCTION

Real-world industrial systems are often complex in terms of their size, the structure of interactions be- tween system components, the dynamic operational behaviour, ageing, etc. Thus, elaborated methods are needed to model behaviour of such systems and to assess their reliability. Traditional approaches to the reliability assessment not accounting for the dynamic structure function of a system (event and fault trees, reliability block diagrams, etc.) are often not suit- able in this sense, whereas the dynamic reliability ap-

proach, covering a wide range of phenomena men- tioned above, is a convenient framework to model the behaviour of complex systems operating in a dynamic environment.

The general solution for dynamic reliability can be

approached by exact methods (finding analytical solu-

tions of system equations) or by approximation (using

numerical methods or by means of Monte Carlo sim-

ulations). Exact analytical solutions are rather com-

plex and require simplifying hypotheses as for the

modelled system, whereas Monte Carlo simulations

allow realistic modelling and provide abundant data

for comprehensive statistical analysis.

In this paper two approaches to the dynamic reli- ability problem are presented: the Piecewise Deter- ministic Markov Process (PDMP) and the Stochas- tic Hybrid Automaton (SHA), which can be seen as an alternative and a more flexible formulation of the PDMP. A feed-water control system of a power plant steam generator is used as a case study to illustrate how the SHA can be applied to model a complex sys- tem operating in a dynamic environment and to assess its reliability. The paper is organized as follows. The theoretical framework of the employed methodology (dynamic reliability, PDMP and SHA) is summarised in Section 2. The system considered as a case study is described in Section 3. Section 4 deals with the imple- mentation procedure, and some results are presented in Section 5. Conclusions and perspectives are given in Section 6.

2 THEORETICAL BACKGROUND

2.1 Mathematical model for dynamic reliability The dynamic reliability is defined by Labeau et al.

(2000) as a part of probabilistic safety analysis, study- ing the behaviour of human-machine interface sys- tems affected by underlying dynamic evolution. More specifically, it is supposed that a system is represented by a state-transition graph, where the state is a com- bination of states of system components; the system’s dynamic behaviour is represented by a set of contin- uous variables whose deterministic dynamics is for- malised by a system of differential equations with co- efficients depending on the system states (Cocozza- Thivent et al. 2006). Thus, the dynamic reliability al- lows accounting for numerous characteristics of com- plex systems, such as the interactions between con- tinuous process variables and system components, for the dynamic behaviour of its components, stochas- tic and deterministic events characterising the transi- tions, etc.

The mathematical model for the dynamic reliabil- ity is proposed by Devooght and Smidts (1992) and is further approached by Devooght and Smidts (1996), Izquierdo et al. (1996), Marseguerra et al. (1998), Labeau et al. (2000). The model relies on the Marko- vian assumption and generally gives the analytical ex- pression for the probability for a system to be in a certain state at a certain time, given the environmen- tal conditions. The formal definition for the dynamic reliability problem is given below.

Definition 2.1 (Mathematical model for dynamic re- liability).

Let:

• i = (i(1), i(2), · · · i(N )) be a vector of discrete states combination of N system components; this vector defines a state of the system;

• x x x ∈ R

be a vector of state variables describ- ing the system behaviour and deterministically evolving in time t according to a state-specific systems of differential equations fff

(x x x(t), t) = dx x x(t)/dt, with its solution x x x(t) = ggg

(x x x

, t), x x x

being the initial values for state variables;

• λ

(x x x) be the global transition rate from the state j as a function of physical variables;

• p (j → i | x x x) be the specific transition rate from state j to state i, knowing the trajectory of phys- ical variables, with λ

(x x x) = P

j6=i

p (j → i |x x x) ;

• π (x x x, i, t) be the probability density for a system to be in state i at time t with the physical vari- ables vector u u u being equal to x x x , obeying gen- eralised Chapman-Kolmogorov equations (De- vooght and Smidts 1992);

• δ(·) be the Dirac delta function.

The mathematical model for the dynamic reliability of a system is then defined as follows:

π (x x x, i, t) = Z

xx x0

π (u u u, i, 0) δ (x x x − ggg

(u u u, t))

exp

− Z

0

λ

(ggg

(u u u, s)) ds

du u u

+ X

j6=i

Z

p (j → i | u u u) du u u

× Z

0

δ (x x x − ggg

(u u u, t − τ ))

× exp

− Z

0

λ

(ggg

(u u u, s)) ds

×π (u u u, j, τ ) dτττ , (1) where π (u u u, i, 0) is the probability for a system to be in state i at time t = 0 given the values of physi- cal variables u u u , the Dirac δ function δ (x x x − ggg

(u u u, t)) indicates among all possible trajectories of physical variables those leading to values x x x at time t , and exp h

− R

0

λ

(ggg

(u u u, s)) ds i

is the reliability at time t .

The first additive term of Eq. (1) is interpreted as the

probability to be in a discrete state i at time t = 0 and

to remain in this state until time t; this term is inte-

grated over all possible trajectories of physical vari-

ables. The second additive term of Eq. (1) is inter-

preted as the probability to go to the discrete state i

from any other state j 6= i at time τ < t and to remain

in state i during the period [τ, t], regardless the trajec-

tory followed by the system before entering the state j

(Markovian assumption); this term is integrated over all possible trajectories of physical variables and over all possible time instants τ .

Analytical solution of Eq. (1) is only possible for simple systems (Labeau et al. 2000), a review of ap- proximative methods can be found in Labeau et al.

(2000), P´erez Casta˜neda (2009), Aldemir (2013).

Among these methods the Piecewise Deterministic Markov Process (PDMP) model (Dufour and Dutuit 2002, Zhang et al. 2008) and Monte Carlo simula- tions based on different types of state-transition mod- els (Dutuit et al. 1997, Distefano et al. 2012, among others) are widely used.

2.2 Piecewise Deterministic Markov Process The PDMP (Davis 1984) is used as a semi-analytical method to approximate the solution of Eq. (1). Its def- inition is given below.

Definition 2.2 (Piecewise Deterministic Markov Process).

Piecewise Deterministic Markov Process PDMP is a process Y

= (m

,X X X

) , where

• t indicates time and will further be omitted in subscripts for simplicity;

• m ∈ M , with M a countable set, are discrete modes corresponding to vector of states i in Def- inition 2.1;

• X X X ∈ R

is a set of real state variables corre- sponding to vector xxx in Definition 2.1.

The PDMP is determined by a set of local character- istics in each mode m :

• E

an open subset of R

with its boundary ∂E

and its closure E ¯

;

• φ

: R

× R → R

is a flow; the flow corre- sponds to the deterministic dynamics defined by g

(·) in Definition 2.1;

• λ

: ¯ E

→ R

is an intensity of random jumps corresponding to λ

(·) in Definition 2.1;

• Q

is a Markov kernel on E ¯

B E ¯

with B(·) a Borel set; the Markov kernel selects the post-jumps locations for the process and cor- responds to the transition rate p(·) of Defini- tion 2.1.

Two types of jumps between modes are possible in the PDMP framework:

• deterministic jumps at times t

(m,X X X) = inf{t >

0 : φ

(X X X, t) ∈ ∂E

};

• stochastic jumps occurring according to a prob- ability, for example, the probability of the first jump at time T

, P

(T

> t), or P (T

) for simplicity, is

P (T

) = (

exp h

− R

0

λ

(φ

(X X X, s)) ds i

if t < t

0 if t ≥ t

.

The PDMP is a theoretical model allowing the analyt- ical or semi-analytical resolution of the dynamic reli- ability problem and analytical assessment of system reliability parameters. This model is however limited due to its complexity and is not suitable for large and complex systems. In this sense, the Stochastic Hybrid Automaton, which can be seen as an alternative for- mulation of the PDMP intented to perform the Monte Carlo simulations, is more convenient.

2.3 Stochastic Hybrid Automaton

We formally introduce the SHA in Definition 2.3, fol- lowing Perez Casta˜neda et al. (2011).

Definition 2.3 (Stochastic Hybrid Automaton SHA).

The Stochastic Hybrid Automaton (SHA) is for- mally defined as an 11-uplet:

SHA = (X , E , A,X X X, A, H, F, P, χ

,X X X

,P P P

) with:

• X a finite set of discrete states {χ

, · · · , χ

};

• E is a finite set of deterministic or stochastic events {e

, · · · , e

};

• X X X is a finite set of real variables evolving in time {X

, · · · , X

};

• A is a finite set of arcs of the form (χ, e

, G

, R

, χ

) where χ and χ

are respec- tively the origin and the goal discrete states of the arc k , e

is the event associated to this arc, G

is the guard condition on X X X in the state χ and R

is the reset function of X X X in the state χ

;

• A : X × X X X → ( R

→ R ) is a function of ”ac- tivities”, describing the evolution of continuous variables in each discrete state;

• H is a finite set of clocks on R ;

• F : H → ( R → [0, 1]) is an application that as- sociates a distribution function to each clock;

• P = p

is a matrix of discrete probability dis- tributions where p

is a probability of transi- tion from χ

to χ

on occurrence of event e : p χ

|χ

, e

;

• χ

,X X X

,P P P

are the initial conditions.

Detailed interpretation of Definition 2.3 are given by P´erez Casta˜neda (2009) and Babykina et al. (2011).

The SHA can be seen as an alternative representa- tion of the PDMP in the following:

• The set of discrete states X of the SHA corre- sponds to the modes M of the PDMP.

• Both frameworks (SHA and PDMP) are charac- terised by a set of physical variables, X X X.

• The flow φ

of the PDMP characterises the tra- jectories of physical variables in each state and corresponds to the activities function A of the SHA.

• The Markov kernel Q

of the PDMP is a matrix [Q

(t)] representing the probabilities of transi- tions from state i to state j in the time inter- val [0, t]. In this sense the Markov kernel of the PDMP contains a discrete probability part and a continuous probability part. The discrete proba- bility part corresponds to the matrix P =

p

of the SHA. We define: Q

(∞) =

p

.

The continuous probability part characterises the distribution functions of moments of jumps from state i to state j: F

(t) = Q

(t)/p

. This part of the kernel corresponds to the F application of SHA.

• The guard conditions G of the SHA correspond to the definitions of deterministic times of jumps for the PDMP.

The SHA allows considering non exponential prob- ability distributions, used to represent, for example, an intrinsic components ageing, as well as non tem- poral probability distributions, used to represent, for example, ageing by the number of a component solic- itation (Perez Casta˜neda et al. 2011, Babykina et al.

2011).

The application of the SHA as a model for simula- tions is illustrated on a case study.

3 CASE STUDY DESCRIPTION

The considered case study is a system of water level regulation in the steam generator (SG) of a nuclear power plant. Several components provide this mis- sion. The states of these components are conditioned by stochastic events, representing failures and repara- tions, and by deterministic evolution of a continuous variable, which is a demanded power. A brief descrip- tion of the case study is given in the present section, for details one can refer to Aubry et al. (2012, the book chapter).

3.1 Physical system

The modelled system is composed of the following components:

• The turbo pumps (TPA) providing the feed water to the SG. There are two TPAs functioning at the same time. Each TPA is composed of in-turbine part (T) and out-of-turbine part (OT), serially op- erating: if one part (T or OT) of the TPA fails, the entire TPA is stopped.

• Feed water valves (ARE) controlling the incom- ing water flow to the SG. There are two AREs:

a heavy-flow valve (AREGD) and a small-flow valve (AREPD) used to precise flow regulations.

• Extracting pumps (CEX) maintaining the vac- uum under the condenser, providing the cooled feed water to the SG. There are three CEX pumps, operating in two-out-of-three (2 oo 3).

• The cylinder VVP, containing steam which pro- vides the functioning of the TPAs and of the other not modelled components in case of the SG failure. The VVP is a passive system and its fail- ures include the failures of other passive systems (tanks, heaters, dryers, etc.).

Finally, the control system responsible for water level regulation in the SG is accounted for in the model.

This system is represented by the PID controller, defining the water flow rate Q

needed to maintain the water level at a given reference value as a function of the actually measured water level N

.

The reliability diagram of the secondary circuit, considered in the present study, is given in Fig. 1.

VVP

TPA (T)

TPA (T) TPA (OT)

TPA (OT)

AREs CEX

CEX CEX

Figure 1: The reliability diagram of the modelled system.

Each of the mentioned sub-systems (components) is characterised by different failure modes, the fail- ure may occur during operation or on demand (block- ing of valves, refusal to open/close valves and pumps, etc.). The failures may be detected immediately or with a delay and reparation strategies depend on fail- ure types.

3.2 Operational behaviour and global system functioning

The states of sub-systems are also conditioned by the

power required from the power plant P . Power is a

continuous time-dependent variable which represents

the dynamic operational environment of the system and which is expressed as a percent of a nominal power (P

). A specific scenario of power evolution, corresponding to a normal cycle of the power plant, is considered in the case study: the start-up of the system is quite slow, once a full power reached, the system re- mains in a stationary position, and after a certain time period of duration T , the slow shut-down of the sys- tem is performed (we refer to Aubry et al. (2012, the book chapter, Section 8.4.3, scenario 1) for details on power evolution).

The interactions between the system components and between the system and its environment can be summarised as follows. We assume that the power required from the power plant defines the reference value for the water level in the SG. The PID controls the feed water flow rate necessary to attain this refer- ence value, this command is sent to the ARE valve, which adapts its position according to the required flow rate. The water level in the SG is then adapted to the required power. The ARE valves can fail, thus not being able to provide the demanded flow rate, in this case the water level will not be adjusted to the required value. This process is represented in Fig. 2.

The nominal (without failures) operation of the global system, according to the power evolution sce- nario, is the following.

1. The power increases from 0%P

to 2%P

by 0.2%P

by hour. This power increase is provided by a security system not modelled in our case. At 2%P

the sub-systems are switched-on in a spe- cific order:

(a) Start-up of the the CEX pumps.

(b) Start-up of the small-flow valve AREPD once the CEX are successfully launched.

(c) Start-up of one of the TPA pumps once the AREPD is successfully launched.

2. The power increases from 2%P

to 10%P

by 0.8%P

by hour.

3. The power increases from 10%P

to 15%P

by 22.5%P

by hour. Once the power reaches 15%P

, the sub-systems are demanded in a spe- cific order:

(a) Start-up of the heavy-flow valve AREGD.

(b) Shut-down of the small-flow valve AREPD once the AREGD is successfully launched.

4. The power increases from 15%P

to 60%P

by 22.5%P

by hour. Once the power reaches 60%P

, the sub-systems are demanded in a spe- cific order:

(a) Start-up of the second TPA.

(b) The power increase is allowed once the sec- ond TPA is successfully launched.

5. The power increases from 60%P

to 100%P

by 22.5%P

by hour. Once the power reaches 100%P

, the system operates normally during a certain time period T , after which the power decrease is carried out and the sub-systems are shut-down following the pattern symetric to this used during the power increase.

Note that the states of the ARE valves are directly linked to the system dynamics since the flow rate is adjusted according to the demanded power. The TPA pumps influence the power by their failures: when only one of the two TPA is functioning, the power (and thus the water level in the SG) is to be de- creased to 60%P

. Symmetrically, at this level of the required power, one TPA is sufficient. CEX pumps and VVP are independent systems. Some of their fail- ures may however cause the automatic reactor shut- down (ARR), and thus the power forcing to 0%, re- quiring the shut-down of all other systems. The pre- cise specification of the system functioning is given in Aubry et al. (2012, the technical report, Section 4.8).

4 IMPLEMENTATION OF THE CASE STUDY 4.1 Model building

The automata of the sub-systems are partially built by means of the parallel composition technique (Cassan- dras and Lafortune 1999). The idea is to model el- ementary sub-systems separately and combine those by a formal operation of synchronisation, using the al- phabets (sets of events) of elementary automata. The parallel composition is employed to build the models of strongly linked components: the three CEX pumps and their interactions, in-turbine and out-of-turbine parts of the TPA pumps. The CEX global automaton is composed of three identical elementary CEX au- tomata, accounting for pump failures during operation and during the stand-by period and of the specifica- tion automaton, coordinating the simultaneous func- tioning of these three CEX. The formal model for the TPA is composed of the in-turbine part of a TPA, its out-of-turbine part and the specification automaton coordinating their in-series functioning.

Functioning of the ARE valves and the VVP are represented by separate elementary automata.

The simultaneous functioning of different sub- systems in their operational environment is governed by a deterministic control automaton. The relevant behaviour of the whole system is provided by means of message sharing (Moalla et al. 1978, Dutuit et al.

1997). Precisely, the control automaton gives orders to and receives the responses from the sub-systems.

These orders and responses are formalised by the

variables shared between the different automata. The

power evolution is modelled within the control au-

tomaton. This procedure is illustrated in Fig. 3 (nor-

mal failure-free power increase as described in Sec-

tion 3.2) and in Fig. 4 (the case when one of the TPAs

Power P,(%)

Q^c_e=f N_ge^r PID

Nr ge

=f(P)

CEX CEX CEX VVP ARE

Qr e=f(Q

c e),XARE SG

N_ge=f(Q_e^r)

TPA (T)

TPA (OT)

xxx(t) = A(t)x˙ xx(t) + B(t)uuu(t) yyy(t) = C(t)xxx(t)

TPA (OT) TPA (T)

Time

Figure 2: Case study system model and dynamics: scheme. N

: actual measured water level; N

: reference water level; Q

: com- mand value for feed water rate; X ARE: state of the ARE; Q

: real value of feed water rate. Dashed lines: modelled continuous variables.

Changeinstate equation

Controlautomaton

!O(CEX)

!OK O

!O(AREPD)

!OK O

!O(TPA1)

!OK O

!up

!O(AREGD)

3 CEX AREPD AREGD 2 TPA Power

Controlautomaton

!C(AREPD)

!OK C

!up

3 CEX AREPD AREGD 2 TPA Power

!OK O

Controlautomaton

!up

3 CEX AREPD AREGD 2 TPA Power

!O(TPA2)

!OK O

0%P_n 2%Pn 10%P_n

Changeinstateequation

15%P_n 60%P_n

Powerevolution

100%Pn Time

Figure 3: Simultaneous functioning of sub-systems during the power increase: schematic representation. ”!O(X)”: order to open for component X, ”!OK O”: successful opening, ”!C(X)”: order to close for component X, ”!OK C”: successful closure, ”!up”: order to start power increase, grey area represents power evolution. Boxes represent the automata of sub-systems.

!down

Power

Changeinstateequation

60%Pn

Powerevolution

100%Pn

Time Reparation

!fail Controlautomaton

!adjust

!fail

!up Power

Changeinstateequation

Controlautomaton !adjust

!repaired !repaired

100%Pn

spec.TPA TPA

spec.

TPA 1 AREGD TPA 1 AREGD

Figure 4: Simultaneous functioning of sub-systems in case of a failure in one of the TPA: schematic representation. ”!fail”: shared message indicating that TPA1 failed, ”down”: order to instantaneously decrease the power, ”!adjust”: order to adjust the water flow rate by valve position, ”!up”: order to start power increase, ”Reparation”: reparation procedure within the TPA1 automaton, grey area represents power evolution. Boxes represent the automata of sub-systems, ”TPA spec.” being the specification automaton which coordinates operation of the two TPA.

fails during operation at full-power). The Fig. 4 rep- resents a simplified schema: it is supposed that other components do not fail during TPA reparation. The complete model accounts for failures of any compo- nent at any time instant.

4.2 Monte Carlo simulations

The constructed model is implemented in Scicos tool-

box of Scilab (Campbell et al. 2010), using the AU-

TOMATON block for the SHA implementation (Na-

jafi and Nikoukhah 2007). The details concerning the

case study implementation using this Scicos are pro-

OT 2,T 2,SP 3 2

OT 4,T 2,SP 4 3

OT 3,T 2,SP 5 4

OT 4,T 3,SP 6 OT 4,T 4,SP 5 5

OT 5,T 1,SP 18 6 7

OT 4,T 3,SP 7 OT 1,T 12,SP 18 8

OT 6,T 1,SP 18 9 10

OT 8,T 3,SP 9

14 16 OT 9,T 3,SP 9 15 OT 4,T 9,SP 9

OT 1,T 5,SP 11 OT 10,T 5,SP 12 17

18

OT 14,T 1,SP 16 19

OT 1,T 11,SP 16 20

OT 1,T 1,SP 13 OT 1,T 6,SP 12 21

OT 13,T 3,SP 14 22

23 24 OT 15,T 1,SP 16

OT 1,T 1,SP 17 25

OT 4,T 7,SP 14 26

OT 16,T 3,SP 14 27

OT 4,T 8,SP 14

28 29OT 4,T 3,SP 15

OT 11,T 1,SP 16

30 32 OT 12,T 1,SP 16 31 OT 1,T 10,SP 16

on TPA

OT 1,T 1,SP 1 ok rep on TPA 1

ok on OT

fail on TPA fail on T ok on T

rep on OT fail rep on OT fail on TPA

rep on T ok rep on OT

OT 7,T 5,SP 10 11

OT 1,T 13,SP 18 12

OT 1,T 1,SP 19 13

ok off TPA fail rep on T

rep off OT

off TPA fail1 OT fail2 OT fail1 T

fail off OT ok off OT

fail TPA fail TPA

fail off TPA ok rep on T

fail rep off OT

fail off T ok off T

fail off TPA

rep off T

fail rep off T

ok rep off OT

fail TPA

rep fail1 OT

fail rep fail1 OT

rep fail2 OT

fail rep fail2 OT ok rep off TPA

rep fail1 T ok rep fail1 T

fail rep fail1 T ok rep fail2 OT

ok rep fail1 OT

ok rep off T ok on TPA

fail on OT

ok rep fail1 TPA

Figure 5: Global TPA automaton: result of parallel composition. Timed states are shaded, transitions representing messages sent to the automaton specifying the functioning of the two TPAs are in bold, transitions representing messages received from the automaton specifying the functioning of the two TPAs are dashed. Transitions characterised by variables shared with the control automaton are not represented for simplicity. The names of states correspond to combinations of elementary automata states (T: turbine, OT: out- of-turbine, SP: specification). The transitions are encoded as ”aa bb cc dd”. dd: the concerned component (turbine, out-of-turbine or whole TPA), cc: type of failure/action occurred (”fail1” for type I failure, ”fail2” for type II failure, ”on” for switching on, ”off” for switching off, ”fail” for failure of any type on the whole TPA), bb: general type of event (”fail” for failure, ”rep” for reparation), aa:

result of reparation (”ok” for successful reparation, ”fail” for failed reparation).

vided by Babykina et al. (2012, Section 4). The Monte Carlo simulations are carried out using certain param- eters (Aubry et al. 2012, the technical report, Section 4.8) for the system (failure and reparation times, fail- ure detection durations, probabilities of failure on de- mand, etc.)

5 RESULTS AND DISCUSSION

The conceived behavioural model of the case study and the results of Monte Carlo simulations based on its implementation as an SHA provide the data which allow the assessment of different safety and reliability parameters.

5.1 The obtained model

As a result we obtain a model composed of eight sub-systems: VVP, CEX, two TPAs, specification for the two TPAs, heavy- and small-flow AREs and the control automaton. These sub-systems exchange 62 shared variables, and the global system contains 488 states and 836 transitions. An example of the be- havioural model of one TPA is given in Fig. 5.

5.2 Safety and reliability assessment

The behavioural model, partially built by means of the parallel automata composition, allows qualitative analysis of system trajectories and identification of dangerous scenarios, even if those are rare and dif- ficult to capture by Monte Carlo simulations. In case of exponential probability distributions used for times of events, analytical evaluation of a specific scenario probability is also possible. For example, one can cal- culate the probability that an automatic reactor stop- ping (AAR) caused by failure of both TPA occurs dur- ing the power increase from 0% to 100%P

. For more details on such calculations one can refer to (Babyk- ina et al. 2012).

In more complicated cases, where the temporal

probability distributions are not exponential, Monte

Carlo simulations can be used to evaluate the fre-

quency of different scenarios (Aubry et al. 2012, the

book chapter, Section 8.3.5). For example, for a spe-

cific set of system parameters, using 111 simulated

histories for a case study, one trajectory resulted in

an AAR, in the large majority of cases the compo-

nents operated without failure, with the exception of

the TPA pumps. Only in approximately 20% of cases

the trajectories of TPA are failure-free, nearly half of the simulated trajectories had a failure while operat- ing in the in-turbine part of TPA. Around 12% of tra- jectories contained a functioning failure of the out-of- turbine TPA. These failures are successfully repaired in the majority of cases.

A formal method of parallel automata composition, used for model building, provides a precise and a rele- vant representation of system behaviour and allows an analytical assessment of system safety and reliability.

Nevertheless, this methodology results in a quite large and complicated model, leading to fastidious imple- mentation and to time-consuming Monte Carlo simu- lations. It is however a price to pay for elaboration of a formal model not needing any verification techniques.

6 CONCLUSION

In this paper the Stochastic Hybrid Automaton (SHA) is proposed to model and to analyse the behaviour of a feed-water control system of a power plant steam generator. The SHA is a particular formulation of a Piecewise Deterministic Markov Process, widely used in the framework of dynamic reliability. The be- havioural model of the considered system is built by means of parallel automata composition and shared variables, thus allowing a relevant simultaneous func- tioning of all the considered sub-systems. This be- havioural model allows analytical assessment of sys- tem performance. Carried out Monte Carlo simula- tions provide data for empirical assessment of reli- ability parameters. The SHA shows to be a suitable tool to model large complex systems operating in dy- namic environment. Such a model, thanks to its com- pleteness, is absolutely essential to track critical event sequences. Further work is needed to optimise the im- plementation procedure and to accelerate the simula- tions.

REFERENCES

Aldemir, S. (2013). A survey of dynamic methodologies for probabilistic safety assessment of nuclear power plants. An- nals of Nuclear Energy 52, 113–124.

Aubry, J.-F., G. Babykina, A. Barros, N. Brinzei, G. Deleuze, B. de Saporta, F. Dufour, Y. Langeron, & H. Zhang (2012).

Rapport final du projet APPRODYN : APPROches de la fi- abilit´e DYNamique pour mod´eliser des syst`emes critiques.

Technical report, collaboration CRAN, EDF R&D, INRIA- CQFD, UTT-ICD.

URL: http://hal.archives-ouvertes.fr/hal-

00740181 /PDF/Rapport final APPRODYN v7a NB.pdf.

Aubry, J.-F., G. Babykina, N. Brinzei, S. Medjaher, A. Bar- ros, C. B´erenguer, A. Grall, Y. Langeron, D. Ngoc Nguyen, G. Deleuze, B. de Saporta, F. Dufour, & H. Zhang (2012, August). The APPRODYN project: dynamic reliability ap- proaches to modeling critical systems. In Y. V. Nada Matta and J. Arlat (Eds.), Supervision and Safety of Complex Sys- tems, pp. 181–222. Wiley-ISTE. Chapter 8.

Babykina, G., N. Brinzei, J.-F. Aubry, G. Deleuze, et al. (2012).

Mod´elisation des syst`emes complexes critiques en fiabilit´e

dynamique par automates stochastiques hybrides, ´evaluation de leur comportement. Congr`es Lambda Mu 18.

Babykina, G., N. Brinzei, J.-F. Aubry, & G. Perez Casta˜neda (2011). Reliability assessment for complex systems operat- ing in dynamic environment. In Proceedings of the Euro- pean Safety and Reliability Conference ESREL 2011, Troyes, France, pp. 327–334.

Campbell, S., J. Chancelier, & R. Nikoukhah (2010). Mod- eling and Simulation in Scilab/Scicos with ScicosLab 4.4.

Springer.

Cassandras, C. & S. Lafortune (1999). Introduction to discrete event systems, Volume 11. Kluwer academic publishers.

Cocozza-Thivent, C., M. Desgrouas, & S. Mercier (2006). Al- gorithme de calcul de disponibilit´e asymptotique en fiabilit´e dynamique. In Proceedings of Colloque National de Fiabilit´e et Maintenabilit´e - λµ 15, Lille, France, pp. 126–136.

Davis, M. (1984). Piecewise-deterministic Markov processes:

A general class of non-diffusion stochastic models. Journal of the Royal Statistical Society. Series B (Methodological), 353–388.

Devooght, J. & C. Smidts (1992). Probabilistic reactor dynam- ics. I: The theory of continuous event trees. Nuclear Science and Engineering 111(3), 229–240.

Devooght, J. & C. Smidts (1996). Probabilistic dynamics as a tool for dynamic PSA. Reliability Engineering & System Safety 52(3), 185–196.

Distefano, S., F. Longo, & K. Trivedi (2012). Investigating dy- namic reliability and availability through state–space mod- els. Computers & Mathematics with Applications 64, 3701–

3716.

Dufour, F. & Y. Dutuit (2002). Dynamic Reliability: A new model. In Proceedings of 15´eme Colloque National de Fia- bilit´e et maintenabilit´e - λµ 13 - ESREL 2002, Lyon, France, pp. 350–353.

Dutuit, Y., E. Chatelet, J. Signoret, & P. Thomas (1997). Depend- ability modelling and evaluation by using stochastic Petri nets: application to two test cases. Reliability Engineering

& System Safety 55(2), 117–124.

Izquierdo, J., E. Melendez, & J. Devooght (1996). Relationship between probabilistic dynamics and event trees. Reliability Engineering & System Safety 52(3), 197–209.

Labeau, P., C. Smidts, & S. Swaminathan (2000). Dynamic reli- ability: towards an integrated platform for probabilistic risk assessment. Reliability Engineering & System Safety 68(3), 219–254.

Marseguerra, M., E. Zio, J. Devooght, & P.-E. Labeau (1998). A concept paper on dynamic reliability via Monte Carlo sim- ulation. Mathematics and Computers in Simulation 47(2), 371–382.

Moalla, M., J. Pulou, & J. Sifakis (1978). Synchronized Petri nets: A model for the description of non-autonomous sys- tems. Mathematical Foundations of Computer Science 1978, 374–384.

Najafi, M. & R. Nikoukhah (2007). Modeling hybrid automata in Scicos. In Proceedings of Multi-conference on Systems and Control (MSC), Singapore, pp. 1–3.

Perez Casta˜neda, G., J.-F. Aubry, & N. Brinzei (2011). Stochas- tic hybrid automata model for dynamic reliability assess- ment. Proceedings of the Institution of Mechanical Engi- neers, Part O: Journal of Risk and Reliability 225(1), 28–41.

P´erez Casta˜neda, G. A. (2009). Evaluation par simulation de la sˆuret´e de fonctionnement de syst`emes en contexte dynamique hybride. Ph. D. thesis, Institut National Polytechnique de Lorraine, France.

Zhang, H., F. Dufour, Y. Dutuit, & K. Gonzalez (2008). Piece- wise deterministic Markov processes and dynamic reliability.

Proceedings of the Institution of Mechanical Engineers, Part

O: Journal of Risk and Reliability 222(4), 545–551.